Hi all,

I did get this resolved after coming across a blog post here:
https://apereo.github.io/2018/01/08/cas-mfa-duosecurity/

I stripped my Duo configuration to only what was included in the blog post, 
and all is working as expected now.

-Matt


On Tuesday, July 9, 2019 at 8:17:29 AM UTC-6, Matthew Uribe wrote:
>
> Hello Community,
>
> We use Duo for 2FA and have successfully used it with CAS for a single 
> application. Recently we decided to enable 2FA for all applications using 
> cas.authn.mfa.globalProviderId=mfa-duo and are now finding that each 
> application requires that the user authenticate to the CAS login page. 
> Setting the Duo page to "Remember me for 7 days" doesn't seem to make a 
> difference. Whether the service is using CAS or SAML doesn't seem to make a 
> difference. Enabling 2FA at the service level, rather than globally, yields 
> the same results. Any service which is 2FA enabled is requiring that users 
> auth for each application, which is obviously counter to the idea of a 
> single sign on. Has anyone else who uses 2FA run into this? I can't imagine 
> this is the best outcome, but as I look through the available settings 
> here <https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#duosecurity>
> I don't see what else I might need to configure.
>
> To put it another way, Duo only prompts once, at the first authentication, 
> but thereafter, each application is redirected to the login page for 
> username password auth.
>
> The relevant portion of my cas.properties is:
>
> #Configure Duo authentication properties
> cas.authn.mfa.globalFailureMode:           OPEN
> cas.authn.mfa.globalProviderId:            mfa-duo
> #cas.sso.renewedAuthn=false  #(This was only for experimentation purpose - made no difference)
> cas.authn.mfa.duo[0].duoApiHost:           redacted
> cas.authn.mfa.duo[0].duoIntegrationKey:    redacted
> cas.authn.mfa.duo[0].duoSecretKey:         redacted
> cas.authn.mfa.duo[0].trustedDeviceEnabled: false   #(Also tried setting this to true - made no difference)
> cas.authn.mfa.duo[0].duoApplicationKey:    redacted
> cas.authn.mfa.duo[0].id:                   mfa-duo
>
>
> Any help would be greatly appreciated.
>
> Thanks,
> Matt Uribe
>
